Cross-Site Scripting in Grist Spreadsheet Software by Grist Labs
CVE-2026-55659
What is CVE-2026-55659?
Several server-rendered pages in Grist, a Python-based spreadsheet application, improperly handled user-controlled values, leading to potential cross-site scripting vulnerabilities. This issue allowed malicious users to exploit the application by injecting scripts into the pages rendered for other users. Specifically, document names and descriptions could be manipulated, while the OAuth2 end-of-flow page reflected harmful input back into the webpage. If successful, this exploitation enabled attackers to execute scripts within the context of an authenticated session, potentially allowing them to escalate privileges to owner level and compromise document sharing and access settings. This vulnerability was addressed in version 1.7.15.
Affected Version(s)
grist-core < 1.7.15
